Cyber Security according to NIS2

In the Czech Republic, a new cybersecurity law will come into force on the 1st of November 2025, transposing European Directive (EU) 2022/2555 (NIS 2 Directive) into national law. Czech companies are therefore required to check whether they fall within the personal and material scope of the law and what specific legal obligations this entails for them. If necessary, appropriate organisational and technical measures must be implemented to ensure the cybersecurity of the information and communication systems they operate.

Companies that fall within the scope of the law are required to identify and register themselves within 60 days of its entry into force. In addition, they must implement effective measures to meet the legal cybersecurity requirements within one year of registering with the National Authority for Cybersecurity and Information Security (NUKIB).

Which companies are covered by the law?

The law applies to companies that cumulatively meet the following requirements:

1. Activity-related criterion (segment)

The company provides at least one of the regulated services listed in Annexes I or II of the NIS 2 Directive.

2. Impact criterion

Within the regulated area of activity, the company meets the so-called impact criteria. This is particularly the case if the company:

  • is classified as a medium-sized or large enterprise, i.e. it has at least 50 employees or an annual turnover or balance sheet total of at least EUR 10 million (approx. CZK 250 million), or
  • acts as an essential service provider for a company that is itself subject to the scope of the NIS 2 regulations.

It is the responsibility of the respective company to check whether these requirements are met. To support this self-assessment, the National Authority for Cybersecurity and Information Security (NUKIB) provides a publicly accessible online calculator, which can be accessed at the following link: https://portal.nukib.gov.cz/kalkulacka

Which services are subject to regulation?

The regulated services are:

  • Public administration
  • Energy – electricity, oil and petroleum products, gas, heating, hydrogen
  • Manufacturing
  • Food
  • Chemical
  • Water management
  • Waste management
  • Transport – air, rail, water, road
  • Health
  • Science, research and education
  • Postal and courier services
  • Military industry
  • Space industry
  • Digital infrastructure and services
  • Financial market

What are the obligations of affected companies?

Companies that fall within the scope of the new Cybersecurity Act are required to identify themselves within 60 days of its enforcement. As part of this self-identification process, they must assess whether and to what extent they are subject to the statutory cybersecurity requirements, in particular whether the regulations with lower or higher requirements apply to them, and what specific rights and obligations arise from this. If a company provides several regulated services that are subject to different levels of regulation, the requirements of the highest level of regulation apply to all regulated services provided by that company. A company is always subject to only one uniform regulation.

Companies that are classified as regulated companies must register via the internet portal of the National Authority for Cybersecurity and Information Security (NUKIB). NUKIB confirms the registration by issuing a corresponding decision on the registration of the regulated service.

The effective technical and organisational security measures required by law must be implemented within one year of registration at the latest.

What security measures must be introduced?

The law distinguishes between two levels of security obligations: a lower level and a higher level. Companies subject to the higher level must meet all the requirements of the lower level and also implement additional organisational and technical security measures.

A) Scope of the lower obligations

  • Small and medium-sized enterprises: applies to companies that do not provide critical or strategically essential services.
  • Less critical services: companies whose services are not considered strategically important for the digital infrastructure.
  • Reduced security requirements: the requirements for organisational and technical measures are less stringent than at the higher level.
  • Less frequent audits: audits and checks are carried out at longer intervals and are less detailed.
  • Reporting of cyber incidents: obligation to report security incidents within 72 hours of becoming aware of them.

What organisational measures need to be implemented?

  • Ensuring cyber security (overview of security measures, responsibilities, security policies, security documentation, relevant contracts with suppliers)
  • Human resources security (policies, cybersecurity training for users)
  • Access management (unique identification, password rules, restriction of administrator and privileged access)
  • Resolution of cybersecurity incidents (reporting and assessment)
  • Continuity management (procedures for restoring primary assets, responsibilities, data backup)
  • Identity and authorisation management (identity management, MFA)
  • Communication network security (segmentation, perimeter protection, VPN use)
  • Cybersecurity incident detection and recording
  • Application security (patch management, vulnerability testing)

What technical measures need to be implemented?

  • Communication network security
  • Communication management
  • Ensuring confidentiality and integrity through cryptographic algorithms
  • Use of tools to protect network security
  • Identity management and verification
  • Management of access authorisations
  • Event logging
  • Ensuring the availability of regulated services

B) Scope of the stricter obligations

  • Operate critical infrastructure: this includes organisations in areas such as energy supply, water management, healthcare and transport.
  • Provide strategic services: this includes telecommunications, financial services and parts of the healthcare system, among others.
  • Must meet stricter security requirements: companies must implement more comprehensive technical and organisational measures and carry out regular risk assessments.
  • Are subject to regular and in-depth audits: companies are regularly inspected by government agencies, including detailed checks.
  • Must report cyber incidents within 24 hours: there is an obligation to report security incidents to the competent authorities without delay.

What organisational measures must be implemented?

  • Information security management system (objectives, risk management, security policy, assessment of the effectiveness of the information security management system, review report, change management)
  • Security roles
    • Cybersecurity manager
    • Cybersecurity architect
    • Cybersecurity auditor
  • Management of security policies and security documentation
  • Supplier management
  • Change management
  • Acquisition, development and maintenance
  • Cyber security audit

What technical measures need to be implemented?

  • Privileged account management
  • Use of a SIEM system
  • Regular vulnerability testing
  • Penetration tests

How will you proceed after 1 November 2025?

  1. Assess whether your company is subject to the provisions of the law and whether the lower or higher obligations apply.
  2. If affected, you must register with the National Authority for Cybersecurity and Information Security (NUKIB) via its internet portal.
  3. Implement appropriate technical and organisational measures to ensure an adequate level of security for your systems and data.
  4. Ensure that cyber incidents are reported and comply with the basic rules of cyber security.
  5. Check the cyber security of suppliers and partners as well. If necessary, introduce minimum requirements for contracts and security standards to minimise risks in the supply chain.

Who is responsible for fulfilling these obligations?

Responsibility for implementing the obligations under the new Cybersecurity Act lies entirely with company management. Cybersecurity is therefore not purely a technical matter, but one of the company’s strategic priorities.

Company management must promote cyber awareness among employees, implement security procedures and ensure compliance with legal requirements.

If you are interested, we would be happy to assist you in preparing all the necessary documents and implementing the necessary measures.